The Hacker News — Cyber Security, Hacking, Technology News

Is your PC infected with Ransomware? Either pay the ransom amount to the attacker or spread the infection further to get the decryption keys.

Yes, this new technique has been employed by cyber criminals in the latest ransomware threat, dubbed Popcorn Time.

Initially discovered by MalwareHunterTeam, the new Popcorn Time Ransomware has been designed to give victims a criminal way of getting a free decryption key for their encrypted files and folders.

Popcorn Time works similarly to other popular ransomware threats, such as the Crysis Ransomware and TeslaCrypt, which encrypt various data stored on the infected computer and ask victims to pay a ransom to recover their data.

But to get their important files back, Popcorn Time gives victims the option either to pay a ransom to the cyber criminals or to infect two other people and have them pay the ransom, in exchange for a free decryption key.

What's even worse? The victims are encouraged to pay the ransom of 1 Bitcoin (~$750) within seven days to receive decryption keys stored on a remote server owned by Popcorn Time's developers.

If the ransom is not paid within this period, the decryption key will be permanently deleted and retrieving the important files will become impossible.

Moreover, the ransomware's code, although incomplete, indicates that if victims enter the wrong decryption key four times, Popcorn Time will start deleting the victims' files.

Here's How the Popcorn Time Ransomware Threat Works:

Once infected, the Popcorn Time Ransomware will check to see if the ransomware has been run already on the PC. If yes, the ransomware will terminate itself.

If not, the Popcorn Time Ransomware will either download various images to use as backgrounds or start encrypting files using AES-256 encryption. The encrypted files have the ".filock" or ".kok" extension appended to them.

While encrypting the data, the ransomware will display a fake screen that pretends to be the installation of the program.

As soon as the encryption is finished, it will convert two base64 strings, save them as ransom notes known as restore_your_files.html and restore_your_files.txt, and then automatically display the HTML ransom note asking for 1 Bitcoin.
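The encryption behaviour described above leaves two file-system artefacts a defender can look for: renamed files carrying the reported extensions and the two ransom-note file names. The following scanner is an added example (not code from the article or from the malware analysis) that walks a directory tree for those indicators; the file names and extensions are taken as reported here and the sample tree it builds is constructed test data.

```python
import os
import tempfile
from pathlib import Path

# Indicators as reported in the article (assumed exact, not verified against samples).
ENCRYPTED_EXTENSIONS = {".filock", ".kok"}
RANSOM_NOTE_NAMES = {"restore_your_files.html", "restore_your_files.txt"}


def scan_for_popcorn_time(root):
    """Walk `root` and collect Popcorn Time style indicators.

    Returns a dict with the encrypted-looking files, the ransom notes found,
    and a verdict that requires BOTH signals, since a lone note could be a
    harmless copy. Unreadable directories are skipped rather than aborting.
    """
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = Path(dirpath) / name
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(str(path))
            elif path.suffix.lower() in ENCRYPTED_EXTENSIONS:
                encrypted.append(str(path))
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "suspicious": bool(notes) and bool(encrypted),
    }


def build_sample_tree(base):
    """Create a constructed directory layout imitating an infected profile."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    (base / "docs" / "report.docx.filock").write_bytes(b"\x00" * 16)
    (base / "docs" / "photo.jpg.kok").write_bytes(b"\x00" * 16)
    (base / "docs" / "notes.txt").write_text("untouched file")
    (base / "restore_your_files.html").write_text("<html>constructed note</html>")
    return base


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_popcorn_time(build_sample_tree(tmp))


if __name__ == "__main__":
    print(run_demo())
```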

Want a Free Decryption Key? Infect Two More People

The Popcorn Time author provides a "nasty way" for a victim to get the free decryption key: spread the ransomware to two other people via the victim's "referral" link.

If those two infected victims pay the ransom, then the first victim will supposedly get a free decryption key.

To make this possible, the ransom note contains a URL pointing to a file located on the Popcorn Time TOR server.

Enter the Wrong Decryption Key 4 Times and You Are Screwed!

When executed, the Popcorn Time ransomware will display a lock screen filled in with various information relating to the victim's particular installation.

The victim will also find a field where he/she can enter the decryption key given to them by the attacker after paying the ransom.

The source code for Popcorn Time contains a function suggesting that the threat will delete files if the victim enters the wrong decryption code four times.

Since the Popcorn Time ransomware is still under development at the time of writing, many things are unclear and may change with time.

Uber was mired in controversy in the middle of this year for monitoring the battery life of its users, as the company believed that users were more likely to pay a much higher price to hire a cab when their phone's battery was close to dying.

Uber is now tracking you even when your ride is over, and, according to the ride-hailing company, the surveillance will improve its service.

Uber recently updated its app to collect user location data in the background.

So, if you have updated your Uber app recently, your app's location tracking permissions have changed, allowing the app to monitor your location before and five minutes after your trip ends, even if you have closed the app.

A popup in the Uber app will ask you, "Allow 'Uber' to access your location even when you are not using the app?" You can click "Allow" or "Don't Allow" in response to this request. If you don't allow it, Uber won't track you.

According to the company, this information not only helps drivers find riders without making phone calls, but also lets Uber monitor driver service, making sure riders are picked up and dropped off on the proper side of the street in order to enhance safety.

Here's what Uber said in a statement:

"We're always thinking about ways we can improve the rider experience from sharpening our ETA estimates to identifying the best pick up location on any given street. Location is at the heart of the Uber experience, and we're asking riders to provide us with more information to achieve these goals."

Location data during a trip is collected during the following time periods:

When you're interacting with Uber and the app is foregrounded and visible.

When you are on a trip: from the time you request a trip until the trip is ended or canceled by the driver, even if the app is running in the background, but not visible to you.

Up to 5 minutes after the driver ends a trip, even if the Uber app is closed or in the background.

Uber announced the move last year, which prompted a complaint [PDF] with the Federal Trade Commission. At the time, the Electronic Privacy Information Center said that "this collection of user's information far exceeds what customers expect from the transportation service."

It's unexpected from a big company like Uber "to collect location information when customers are not actively using the app." However, "the FTC failed to act, and Uber is now tracking users non-stop."

How to Stop Uber From Tracking Your Location

If you are worried, there's a way to get around it. The company also explains how to turn this feature off. Here's what to do to shut down this feature:


In his blog post published today, the researcher demonstrated how a malicious attacker could have sent the victim's inbox to an external site, and created a virus that attached itself to all outgoing emails by secretly adding a malicious script to message signatures.

Since the malicious code is in the message's body, the code will get executed as soon as the victim opens the booby-trapped email, and its hidden payload script will covertly submit the victim's inbox content to an external website controlled by the attacker.

The issue exists because Yahoo Mail failed to properly filter potentially malicious code in HTML emails.

"It would be possible to embed a number of HTML attributes that are passed through Yahoo's HTML filter and treated specially," Pynnönen says in his blog post.

Pynnönen says he found the vulnerability by feeding all known HTML tags and attributes, in order, to the filter that Yahoo uses to weed out malicious HTML; certain malicious HTML code managed to pass through.

"As a proof of concept I supplied Yahoo Security with an email that, when viewed, would use AJAX to read the user's inbox contents and send it to the attacker's server," Pynnönen says.

Pynnönen reported a similar vulnerability in the web version of the Yahoo! Mail service earlier this year for which he earned $10,000. He also reported a stored XSS vulnerability in Flickr to Yahoo in December 2015 for which he earned $500.

The Russian government has introduced a draft bill that proposes prison sentences as punishment for hackers and cyber criminals creating malicious software used in targeting critical Russian infrastructure, even if they have no part in actual cyber attacks.

The bill, published on the Russian government’s website on Wednesday, proposes amendments to the Russian Criminal Code and Criminal Procedure Code with a new article titled, "Illegal influence upon the critical informational infrastructure of the Russian Federation."

The article introduces punishment for many malicious acts, including the "creation and distribution of programs or information, which can be used for the destruction, blocking or copying data from the Russian systems."

When suspects are found to be part of any hacking operation, they will face a fine of between 500,000 and 1 Million rubles (about $7,700 to $15,400) and up to five years in prison, even if the hacking causes little or no harm.

However, if the cyber attacks lead to serious consequences or create a threat of such an outcome, the bill prescribes a prison term of up to ten years for those involved.

Moreover, hackers obtaining unauthorized access to protected data have to pay a penalty of up to 2 Million rubles (approx. $31,500) and can face up to five years of forced labor and six years in prison.

The proposed bill was drafted shortly after Russian President Vladimir Putin signed an updated doctrine on Russia's Information Security.

The doctrine is aimed at "reinforcing the country’s sovereignty, territorial integrity, maintaining political and social stability, protecting human and civil rights and liberties, as well as crucial IT infrastructure."

According to the document, "the opportunities of cross-border circulation of data are increasingly used to achieve geopolitical, military and political (in contravention of international law), terrorist, extremist, and other illegitimate goals to the detriment of international security."

The new bill introducing criminal punishment for hackers has been submitted to the State Duma, the lower chamber of the Russian Parliament.

The move is notable because Russian hackers are constantly in the news for cyber attacks, malware, POS exploits, banking Trojans, exploit kits, and many other cyber threats.

A Turkish hacking group is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets.

The points earned can later be redeemed for various online click-fraud and hacking tools.

The platform, called Surface Defense, prompts other hackers in Turkey to sign up and asks them to attack political websites using a DDoS tool known as Balyoz, which translates as Sledgehammer.

According to Forcepoint security researchers, who discovered this program, Balyoz works via Tor and requires a username and password to log in. The tool then uses a DoS technique to flood targets with traffic.

Here's How the Balyoz Tool Works

Once a user downloads the Surface Defense collaboration software from hacking forums and registers, the program runs locally on the computer, prompting the user to download the DDoS attack tool in order to assault the limited list of target sites.

The DDoS traffic is then routed through Tor to disrupt online services. For every 10 minutes the tool attacks a website with fraudulent traffic, the participant receives a point.

The points can then be used to obtain rewards, including a more powerful version of the Balyoz DDoS attack tool, "click-fraud" bots that automatically click on ads for pay-to-click (PTC) services like Ojooo and Neobux to generate revenue, and a program that has the ability to infect PCs and scare the victim with images and sounds.

The DDoS Tool Contains Hidden Backdoor

The DDoS platform software also contains a hidden backdoor that allows the Surface Defense operator to "hack the hackers," raising concerns over the operator's actual motives.

"The backdoor is a very small Trojan and its sole purpose is to download, extract and execute another .NET assembly from within a bitmap image," Forcepoint researchers said.

"It also downloads a secondary 'guard' component which it installs as a service. This 'guard' component ensures that if the backdoor is deleted then it will be re-downloaded and also installed as a service."

The list of predefined targets includes Kurdish websites of the Kurdistan Workers Party (PKK), its military wing the People's Defense Force (HPG), an organization by NATO members, Kurdish radio and TV stations, Kurdish hacking crews, and more.

Other politically motivated targets include the Armenian Genocide website, the German Christian Democratic Party, which is led by Angela Merkel, and many Israeli websites.

"Users can also suggest new websites to add to the list of targets," Forcepoint researchers said. "There is a live scoreboard for participants to see how they compare to other participants."

The researchers managed to track down the IP address of the Surface Defense software, despite it running on the Dark Web through Tor.

This development helped the researchers gather some information about the operator's identity: the operator may act under the handle "Mehmet," runs two YouTube channels advertising the Balyoz DDoS tool, and is possibly based in the Turkish city of Eskisehir.

For more technical details on the Surface Defense platform, you can head over to Forcepoint's 30-page research paper [PDF] titled "Sledgehammer - Gamification of DDoS attacks (for ideology, profit & mischief)."

A hacker who was arrested last year for hacking into celebrities' email accounts to steal unreleased movie and television scripts, their private messages, and sex tapes, in order to sell them, has finally been sentenced to five years in prison.

Alonzo Knowles, a 24-year-old Bahamian man, was convicted by U.S. District Judge Paul A. Engelmayer in Manhattan on Tuesday.

Knowles, who maintained a list of emails and phone numbers of 130 celebrities, pleaded guilty in May to charges of identity theft and criminal copyright infringement.

The sentence is twice as long as the term the federal sentencing guidelines suggested, as the judge felt that Knowles "would be a clear and present danger to commit the very same crime again," the New York Times reports.

The hacker expressed remorse in court and had already handed over unreleased scripts, songs, and $1,900 in cash.

The authorities arrested Knowles late last December and seized his laptop, which was later destroyed by investigators. The authorities found folders containing stolen data that included:

Social Security numbers for actors and professional athletes

Private, explicit images

Scripts for unreleased TV shows and movies and even contract documents

Emails and phone numbers of at least 130 celebrities

Sex tapes of celebrities

The hacker was arrested after flying to New York from the Bahamas to sell 15 movie and TV show scripts and the Social Security Numbers (SSNs) of a movie actress and two athletes to an undercover U.S. Department of Homeland Security agent for $80,000.

According to prosecutors, Knowles appeared anxious to continue exploiting celebrities once released even after pleading guilty.

The judge cited the book the hacker claimed he would someday write to "shake up Hollywood," with plans to sell it at $35 per copy, in which Knowles said: "When I get out, I'm going to shake up Hollywood."

The book, Knowles claimed, will contain information that can "jeopardize their careers, their security, and their personal relationships."

The affected celebrities were not identified, though the judge acknowledged that the court received a statement from 20th Century Fox. However, Knowles apologized for his conduct on Tuesday, saying he regretted "the stupid things I did and said."